Today the DHS ICS-CERT published a control system security advisory for an unquoted service path escalation vulnerability in Moxa’s Active OPC Server application. The vulnerability was reported by Zhou Yu. Moxa has produced a new version to mitigate the vulnerability. ICS-CERT reports that Yu has verified the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker with local access and network credentials could exploit this vulnerability, allowing an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
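For asset owners who want to check their own hosts for this class of weakness, the following PowerShell audit is an added example, not taken from the ICS-CERT advisory or from Moxa. It flags services whose registered path is unquoted and contains a space in the executable portion; the function name and the sample service entries are constructed for illustration.

```powershell
# Added example: audit for unquoted service paths.
# Test-UnquotedServicePath is a hypothetical helper name; sample data is constructed.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()

    # A path that starts with a double quote is already delimited correctly.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe"
    # that is followed by whitespace or end of string. Spaces after that
    # point belong to arguments and do not matter here.
    $m = [regex]::Match($p, '(?i)^(.*?\.exe)(\s|$)')
    if (-not $m.Success) { return $false }   # drivers and odd entries: review by hand

    # Unquoted and a space inside the executable path: flag it.
    return $m.Groups[1].Value.Contains(' ')
}

# Constructed sample entries shaped like Win32_Service objects.
$samples = @(
    [pscustomobject]@{ Name = 'ExampleUnquoted'; StartName = 'LocalSystem'
                       PathName = 'C:\Program Files\Example Vendor\Example Service\svc.exe -run' }
    [pscustomobject]@{ Name = 'ExampleQuoted';   StartName = 'LocalSystem'
                       PathName = '"C:\Program Files\Example Vendor\Example Service\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ExampleNoSpace';  StartName = 'LocalSystem'
                       PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

$services = $samples
# On a live host, replace the line above with:
# $services = Get-CimInstance Win32_Service | Where-Object PathName

# StartName shows the account the service runs as, which indicates how much
# privilege is at stake for each flagged entry.
$services |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartName, PathName
```

With the constructed samples only `ExampleUnquoted` is reported. Running the audit before and after installing a vendor update confirms whether the affected service entry is still flagged.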